Werk #15194: Fix command injection via RestAPI / Password Store

Component Core & setup
Title Fix command injection via RestAPI / Password Store
Date Aug 2, 2023
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.3.0b1 (not yet released): Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p8: Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p32: Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
2.0.0p38: Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

Prior to this Werk, users with the permissions to (a) use the RestAPI, (b) create passwords in the password store, and (c) create active checks were able to run arbitrary commands on the site.

This issue was found during internal code review.

Affected Versions:
* 2.0.0
* 2.1.0
* 2.2.0 prior to version 2.2.0p4

Note that at the time this Werk and fix were published, the current version 2.2.0 was no longer affected by this issue, as it had already been mitigated by Werk #15889.

Indicators of Compromise: Check the password store for passwords with unusual identifiers, review add-password events in the audit log.

Vulnerability Management: We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. We have assigned CVE CVE-2023-31209.

Changes: This Werk adds proper sanitization of the affected parameter on core commands.
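The following is an added example, not Checkmk's own code, illustrating the two sides of this Werk: an allowlist check that rejects password store identifiers containing characters with special meaning on a command line (the kind of sanitization the fix describes), and a sweep over a store that flags identifiers which would not pass it (the "unusual identifiers" indicator above). The on-disk store format, the `stored:` argument prefix and the exact allowlist Checkmk applies are assumptions made for this example.

```python
from __future__ import annotations
import re
import shlex

# Assumed allowlist: letters, digits, underscore, dot and dash are inert on a
# shell command line; anything else is rejected rather than escaped.
SAFE_IDENT = re.compile(r"^[A-Za-z0-9_.-]+$")


def is_safe_identifier(ident: str) -> bool:
    """True if the identifier contains only allowlisted characters."""
    return bool(SAFE_IDENT.fullmatch(ident))


def find_suspicious_identifiers(store: dict[str, str]) -> list[str]:
    """Indicator-of-compromise sweep: identifiers that fail the allowlist."""
    return sorted(ident for ident in store if not is_safe_identifier(ident))


def password_store_argument(ident: str) -> str:
    """Build the active-check argument that references a stored password.

    Defence in depth: the identifier must pass the allowlist, and the result is
    shell-quoted so it stays a single token even if a caller later joins it
    into a command string. The 'stored:' prefix is an assumption.
    """
    if not is_safe_identifier(ident):
        raise ValueError(f"invalid password store identifier: {ident!r}")
    return shlex.quote(f"stored:{ident}")


# Constructed sample store (identifier -> secret); not real data.
SAMPLE_STORE = {
    "db_readonly": "s3cret",
    "smtp-relay.prod": "hunter2",
    "backup; echo injected": "x",  # metacharacters inside the identifier
    "api$(id)": "y",
}

if __name__ == "__main__":
    for ident in find_suspicious_identifiers(SAMPLE_STORE):
        print(f"suspicious identifier: {ident!r}")
```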
